Summary
Currently JWT sessions have a fixed expiry with no refresh mechanism. Users are logged out abruptly and must re-authenticate with their Stellar keypair, hurting UX.
Proposed Solution
- Issue a short-lived access token (15 min) + a long-lived refresh token (7 days)
- Store refresh token hash in the
Session table
- Add
POST /api/auth/refresh endpoint
- Rotate refresh token on each use (single-use)
- Revoke all refresh tokens on logout
Acceptance Criteria
Summary
Currently JWT sessions have a fixed expiry with no refresh mechanism. Users are logged out abruptly and must re-authenticate with their Stellar keypair, hurting UX.
Proposed Solution
SessiontablePOST /api/auth/refreshendpointAcceptance Criteria
POST /api/auth/refreshreturns new access + refresh token pair.env.exampledocumentsREFRESH_TOKEN_SECRETandREFRESH_TOKEN_TTL